The Secret Life of ActionScript
Adobe Flash continues to be a popular target for attackers in the wild. As an increasing number of bug fixes and mitigations are implemented, vulnerabilities in increasingly obscure corners of Flash are coming to light. This presentation describes the attack surface of Flash, with a focus on recently discovered vulnerabilities.
It will start with an overview of Flash vulnerabilities found in the past year, and discuss how the most common types of vulnerabilities work, the potential for future vulnerabilities in these areas and methodologies for finding them. It will also cover some recently reported vulnerabilities that are less typical, their discoverability and exploitability.
This talk will also discuss recent Flash and platform mitigations, and how they impact bug quality and discoverability.
Crypto for the People
It’s been a tough couple years for crypto protocols. Almost every month a new vulnerability in TLS come out that flattens everything. In this talk I’ll explain the latest set of cryptographic vulnerabilities in plain english. By the end of the talk you’ll hopefully know the difference between FREAK, LogJam, NOOB, DROWN, POODLE and SLOTH (only one of these is made up). We’ll be breaking good crypto and bad with side-channels, signing oracles and downgrades. I’ll also explain how the latest changes to TLS are supposed to fix things and how the entire house of cards may topple once quantum computers arrive.
Car Hacking: The Past, Present, and Future
You might call 2015 “The Summer of Car Hacking,” with multiple exploits presented and the first-ever cybersecurity-related vehicle recall. It grabbed the attention of manufacturers, regulators, lawmakers, and consumers. But the Summer of Car Hacking didn’t just happen out of nowhere. In this talk, I’ll cover some of the history of car hacking, including some of our earlier results, including taking over a 2009 sedan through cellular connections, Bluetooth, Windows Media files, and infected dealer tools. I’ll also talk about more recent work where we compromised aftermarket insurance dongles to hijack control of vehicles. I’ll discuss how a blind-sighted industry began to take security seriously, and cover where I think the industry is headed.
Mad Dog 380; or, Patching a Handheld Digital Radio
The Tytera MD380 is a digital handheld radio that implements the DMR
(Digital Mobile Radio) standard. Amateur and commercial DMR coverage
is available all across Pizza Rat City, but packet sniffers and
injectors were few and far between. So I jailbroke the firmware, then
recruited a few good neighbors to reverse engineer and patch it. Six
months later, we've built a proper toolchain for the platform,
complete with packet sniffers and our own extensions to the USB
This lecture will cover some of the reverse engineering tricks that
were handing during the project. Among other things, you'll learn how
to locate an audio compression codec in a firmware core dump, how to
break the readout protection of a Cortex M4, and how to listen in on
university police radio networks to find keg parties with the best
The firewall Android deserves: A context-aware kernel message filter and modifier
Android Marshmallow introduced a feature users sorely needed: dynamic permissions. We take this a few steps further by hooking Android's Binder IPC system to give users fine-grained control over messages passed between applications. Because every message in Android passes through Binder, we have all the keys to all the locks. I'll cover how we hooked Binder to modify camera and microphone data, restrict permissions based on environmental context, steal kernel messages and reinsert them (like Netfilter), and allow regex-like parsing of all messages in Android.
That intimate talk about *responsibly* hacking your govt.
In 2010 Mudge accepted a position as a program manager at DARPA where he oversaw cyber security research, and re-built the Agency’s approach to cyber security research. In 2013 Mudge went to work for Google as Deputy Director of their Advanced Technology & Projects division. Then he received a call from the White House and ran off to create a non-profit organization that he isn't talking to people about. Way prior to all of that, Mudge did this little thing called 'the L0pht'.
He is the recipient of the highest medal that the Office of the Secretary of Defense can bestow on a civilian, an honorary Plank Owner of the US Navy Destroyer DDG-85, officially recognized by the EOP and CIA for contributing to critical national missions, and was inducted into the Order of Thor, the US Army’s Association of Cyber Military Professionals. While he's really flattered by all of that, he thinks maybe they have him confused with somebody else. Either way, his mission remains the same: 'make a dent in the universe'.
In the Zone: OS X Heap Exploitation
The most recent literature on exploiting the OS X heap was written in Phrack in 2005. Though the same region allocation scheme is still in use, the implementation has changed significantly. I am going to dive into how the OS X heap is laid out in memory, what is unique about it's region-based allocator, and how this changes common exploitation techniques.
We will also be releasing tooling that works with LLDB to further enhance the users ability to look into the current state of the heap and query the various zones for information. After an overview of the heap and how it is laid out we will present a case study of real world heap exploitation based on vulnerabilities found at Cisco Talos.
Not-so-secure Instant Messaging
The past few years have seen a proliferation of encrypted instant messaging systems, as well as a global debate about the impact of these systems on law enforcement and national security. What hasn’t been asked is: how secure are these systems? In this talk we'll examine some popular secure messaging systems, including Apple iMessage and Telegram. I will describe how a a flaw in Apple’s encryption allowed us to completely decrypt instant messages. I’ll also talk about the future of secure instant messaging, and how governments are reacting to the technology.